Monday, September 24, 2012

SC Magazine's Awful "Cyber Cold War" Article

Deb Radcliff wrote a feature article for SC magazine entitled "Cyber Cold War: Espionage and Warfare". Since SC is an IT Security publication and since international tensions are rising daily around this topic, I think it's important to confront errors and/or faulty judgments when they arise. This article is filled with them. Here are the top four that stood out to me:

SC: "But, the talk (Gen. Alexander's talk at DEFCON 2012) was also ironic, given that the NSA has been outed as the agency behind Stuxnet – which caused collateral damage on unintended targets in multiple countries, while the United States provided no intel to system operators that may have needed protection."

Wrong. Even though hundreds of thousands of computers carried the Stuxnet worm, it remained inert on every system except those with the specific Siemens PLC configuration it was programmed to attack at Natanz. There was no collateral damage in multiple countries as Radcliff claimed.

SC: "As with Stuxnet, cyber war starts out ‘cold,' with the theft of information that can lead to larger-scale attacks. In that instance, information about targets (Siemens control systems at Iranian enrichment facilities) was collected in preparation for stage two and three of cold war – to disrupt and cause damage. The final stage is when attacks against the national infrastructure and military operations make it impossible for the target nation to respond to a physical assault."

Wrong on multiple counts. The use of the term "cyber war" is ridiculously provocative. Stuxnet was an act of sabotage, not war. In fact, there is no such thing as "cyber war", not in law and not in fact. The rest of that paragraph is a hypothetical chain of events that Radcliff invented for her article. Stuxnet was not part of any larger plan to attack Iran's "national infrastructure and military operations". Its sole purpose was to disrupt a specific number of centrifuges involved in nuclear fuel enrichment. Period.

SC: "Stuxnet is one of only a few cases of actual cyber warfare with intent to damage physical systems, says Martin Libicki, senior management scientist at the RAND Corp., a government advisory think tank."

Wrong. I know Martin Libicki and have had occasion to interact with him at closed Intelligence Community events, and with all due respect to his credentials, he's frequently misinformed about issues related to cyber warfare: what defines it, who conducts it and in what ways. The only actual events which can be legally described as cyber warfare are the cyber attacks launched during the Russia-Georgia war in 2008, Operation Cast Lead in 2009, and possibly the most recent Kyrgyzstan revolution in 2011. In other words, cyber warfare exists when there's kinetic conflict with a cyber component. That's it.

SC: "On the other hand, a good example of mitigation and containment through fast response time is the March 2011 exfiltration of RSA SecurID code. The attack had only been in the network for days when EMC's security team discovered the compromise and took action."

Wrong. In fact, insultingly and ridiculously wrong. RSA lost its entire seed database to that attack. That breach, in turn, led to attacks against one confirmed defense contractor (Lockheed Martin) and probably a half dozen more throughout the year, including L-3, Northrop Grumman, and others. Nor does RSA's so-called "fast response" timeline hold up under scrutiny.

Radcliff closed her article with the following statement: "Cyber war is upon us, and organizations need better means of protecting themselves and sharing threat information to protect the larger infrastructure."

This is a false claim, irresponsibly made by a reporter who appeared to be determined to write a one-sided article. I really hope that this isn't a sign of SC magazine becoming a FUD mouthpiece for InfoSec vendors who want to stir the pot in hopes of increasing their profits.